What is the best process to use ZAP to cover the OWASP top 10? Is my process doing it right?


saman...@gmail.com

Apr 6, 2016, 2:29:19 PM
to OWASP ZAP User Group
Hello ZAP developer teams,

First off I want to thank you all for providing this tool as an open source tool. I recently started a job as an automation QA Engineer. A big part of my job is to learn about the OWASP top 10 security threats. My company has given me goals to complete a security scan using the ZAP application.

I have watched all the tutorials on YouTube and played around with the ZAP application a ton over the last 2 months.

As you know this application has MANY MANY features, all of which can be of great use to scan for any vulnerabilities on a web site/application; at the same time, for a beginner in security testing it can be a little overwhelming since there are so many options, or at least it appears there are.

My question is, can any of you guys help me out by guiding me to what features I should focus on mastering in the ZAP application to cover the OWASP top 10 threats?

Below is the process I am using for my scans; if you can give me some feedback to help improve my process, it will be much appreciated:


1. Launch ZAP
2. Go through the web site I plan on doing penetration testing for
3. Click on all the links in the website
4. Run the spider to see if any hidden links were missed 
5. Create a custom context for the web application I need to test. The Context fields that I configured are:

   a. Include in Context – This will hold the URL of the web application that the security scanner will focus on.

   b. Exclude from Context – This will have any URLs that the security scanner will ignore while scanning the web application. In my case I believe I put the URL for the logout to exclude.

   c. Authentication – Form-based Authentication (since the web site requires a username and password):

      i. The target URL – the login page
      ii. Username Parameter
      iii. Password Parameter
      iv. Regex pattern parameter of either the logged in or logged out response messages. I like to use the logged in HTML tag since it has Welcome<myUsername> in the tag
      v. Users – enable my user name
      vi. Force User – will select the user I created to log in as while scanning the application


6. I also enable the "force user" icon, which is the lock icon at the top of the ZAP application.

7. I then use the active scanner using the starting point URL, which has an asterisk appended to it. From my understanding this will scan any URL that begins with the same string in this field.

   a. Within the active scanner I also select the context that I configured in the step above.

   b. I select the user I created in the context section.

8. The only advanced option I use is the Policy tab to set the default threshold and attack strength.

9. Then I scan, and once the scan is completed I generate the HTML report.


Is this enough to cover the OWASP top 10 threats for now? I know that there are many more threats out there, but for now the focus of my company is to get the top 10 covered, and then once I am more familiar with the OWASP threats and the ZAP application I can move to more advanced features in the application to help maximize the benefits of ZAP.


Best Regards,

Sohail
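The workflow Sohail describes (context with include/exclude rules, form-based authentication with a logged-in indicator, a forced user, an active scan as that user, and an HTML report) can be driven through ZAP's REST API so the same scan is repeated for every build. The script below is an added example, not code from the post or from the ZAP project. Everything in it is assumed rather than taken from the thread: ZAP listening on http://127.0.0.1:8080 with the placeholder API key, the constructed target https://app.example, and the endpoint and parameter names, which follow the API listing a running ZAP serves at http://zap/UI and should be checked against your version. The first function also checks the one thing that most often breaks authenticated scans: a logged-in indicator regex that matches the logged-out page as well.

```python
"""Added example; not code from the original post or from the ZAP project.
Expresses the GUI workflow (context, include/exclude, form-based auth,
forced user, active scan as that user, HTML report) as ZAP REST API calls.

Assumptions, none of which come from the page: ZAP listens on
http://127.0.0.1:8080 with the API key below; the target https://app.example
is constructed; endpoint and parameter names are taken from the API listing
a running ZAP serves at http://zap/UI and should be checked against your
ZAP version.
"""
import json
import re
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"          # assumed ZAP address
API_KEY = "REPLACE_WITH_ZAP_API_KEY"   # placeholder, set in ZAP's API options
TARGET = "https://app.example"         # constructed target
USERNAME, PASSWORD = "sohail", "REPLACE_WITH_TEST_ACCOUNT_PASSWORD"


def logged_in_indicator_ok(regex, logged_in_page, logged_out_page):
    """Step c.iv: the logged-in indicator must match the authenticated
    response and NOT the unauthenticated one. If it matches both, ZAP cannot
    tell that the scan has been logged out and keeps scanning anonymously."""
    pat = re.compile(regex)
    return bool(pat.search(logged_in_page)) and pat.search(logged_out_page) is None


def api(component, action, dry_run=True, **params):
    """Build one JSON API call and issue it unless dry_run. ZAP answers with
    JSON such as {"contextId": "1"} or {"userId": "0"}."""
    params["apikey"] = API_KEY
    url = f"{ZAP}/JSON/{component}/action/{action}/?{urllib.parse.urlencode(params)}"
    if dry_run:
        return {"url": url}
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def plan_scan(context_name="app", dry_run=True):
    """Return the ordered API calls for the workflow. With dry_run=True
    nothing is sent and ids are placeholders, so this runs offline."""
    calls = []

    def do(component, action, **params):
        result = api(component, action, dry_run, **params)
        calls.append(result)
        return result

    # Steps 5a/5b: context with include and exclude regexes (logout excluded).
    ctx = do("context", "newContext", contextName=context_name)
    context_id = ctx.get("contextId", "<contextId>")
    do("context", "includeInContext", contextName=context_name, regex=re.escape(TARGET) + ".*")
    do("context", "excludeFromContext", contextName=context_name,
       regex=re.escape(TARGET + "/logout") + ".*")

    # Step 5c i-iv: form-based authentication plus the logged-in indicator.
    login_params = urllib.parse.urlencode({
        "loginUrl": TARGET + "/login",
        "loginRequestData": "username={%username%}&password={%password%}",
    })
    do("authentication", "setAuthenticationMethod", contextId=context_id,
       authMethodName="formBasedAuthentication", authMethodConfigParams=login_params)
    do("authentication", "setLoggedInIndicator", contextId=context_id,
       loggedInIndicatorRegex=r"Welcome\s+" + re.escape(USERNAME))

    # Step 5c v-vi and step 6: a user, its credentials, and forced-user mode.
    user = do("users", "newUser", contextId=context_id, name=USERNAME)
    user_id = user.get("userId", "<userId>")
    do("users", "setAuthenticationCredentials", contextId=context_id, userId=user_id,
       authCredentialsConfigParams=urllib.parse.urlencode({"username": USERNAME, "password": PASSWORD}))
    do("users", "setUserEnabled", contextId=context_id, userId=user_id, enabled="true")
    do("forcedUser", "setForcedUser", contextId=context_id, userId=user_id)
    do("forcedUser", "setForcedUserModeEnabled", boolean="true")

    # Steps 7-8: active scan of everything under the target, as that user.
    # Threshold and attack strength live in the scan policy named here.
    do("ascan", "scanAsUser", url=TARGET, contextId=context_id, userId=user_id,
       recurse="true", scanPolicyName="Default Policy")
    return calls


def html_report_url():
    """Step 9: the HTML report is served by an OTHER (non-JSON) endpoint."""
    return f"{ZAP}/OTHER/core/other/htmlreport/?{urllib.parse.urlencode({'apikey': API_KEY})}"


if __name__ == "__main__":
    for call in plan_scan():
        print(call["url"])
    print(html_report_url())
```

Run it as-is to print the call sequence without touching ZAP; switch to `plan_scan(dry_run=False)` once ZAP is running and the placeholders are filled in. Before the scan, feed `logged_in_indicator_ok` a captured logged-in page and a captured logged-out page; a regex such as `Welcome\s+\w+` passes, while something present on every page (the page title, a footer) fails, which is exactly the case where ZAP would never notice a dropped session.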



Simon Bennetts

Apr 7, 2016, 4:02:30 AM
to OWASP ZAP User Group
Hi Sohail,

We should definitely document this better, and this looks like a really good starting point :)
The OWASP Top Ten is a bit of a strange beast, and it's not one that you can completely automate testing for, despite what some commercial companies might claim / imply ;)
I've written a summary of how you can use ZAP to test the Top 10 here: https://www.owasp.org/index.php/ZAPpingTheTop10 - as you will see a lot of the tests are manual :/

A couple of things I do when exploring an app, either manually or using one of the spiders:
  • Check that ZAP recognises the session token, if not add it
  • Check that ZAP recognises any anti CSRF tokens, if not add them
  • Check that ZAP handles the structure correctly, if not configure it too
  • Look for database driven content, if present configure ZAP to handle it
If you do those things then you've probably covered all of the essential automated testing, unless anyone can suggest anything else?
After that it all depends how much time and effort you want to spend learning and using manual techniques.
A couple of add-ons are semi-automated, so might be worth playing with:

Anyone got any other suggestions?


Cheers,


Simon
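Simon's first two checks (does ZAP recognise the session token, and does it recognise the anti-CSRF tokens) come down to comparing the names the application actually uses with the names in ZAP's option lists. The script below is an added example, not from the reply or from the ZAP project: it takes one captured login response (a constructed sample here, not from any real site), picks out cookie names and hidden form fields whose names look like session or anti-CSRF tokens, and builds the API calls that would add them to ZAP's lists. The name heuristics and the endpoint names are assumptions; the endpoints follow the API listing at http://zap/UI on a running instance and should be checked there.

```python
"""Added example; not from Simon's reply or from the ZAP project.
Finds session-cookie and anti-CSRF-token candidates in one captured
response (constructed sample below) so they can be compared with what ZAP
already lists under Options > HTTP Sessions and Options > Anti CSRF Tokens.
The name heuristics and the API endpoint names are assumptions.
"""
import re
import urllib.parse
from html.parser import HTMLParser

ZAP = "http://127.0.0.1:8080"          # assumed ZAP address
API_KEY = "REPLACE_WITH_ZAP_API_KEY"   # placeholder

# Constructed sample response to a login POST; not captured from a real site.
SAMPLE_HEADERS = [
    ("Set-Cookie", "APPSESS=c2f1e0example; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Content-Type", "text/html; charset=utf-8"),
]
SAMPLE_BODY = """
<html><body>
<span class="user">Welcome sohail</span>
<form method="post" action="/transfer">
  <input type="hidden" name="__RequestVerificationToken" value="Q7rexample">
  <input type="hidden" name="page" value="3">
  <input type="text" name="amount">
</form>
</body></html>
"""

# Heuristics (assumed): session cookies are usually named after "session",
# "sid" or "auth"; anti-CSRF fields after "csrf", "token", "nonce", etc.
SESSION_NAME = re.compile(r"sess|sid|auth", re.IGNORECASE)
CSRF_NAME = re.compile(r"csrf|token|nonce|verification", re.IGNORECASE)


def session_cookie_candidates(headers):
    """Cookie names from Set-Cookie headers whose name looks session-like."""
    names = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        if SESSION_NAME.search(name):
            names.append(name)
    return names


class _HiddenInputs(HTMLParser):
    """Collects the names of <input type="hidden"> fields."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.names.append(a["name"])


def csrf_field_candidates(html):
    """Hidden input names that look like anti-CSRF tokens."""
    parser = _HiddenInputs()
    parser.feed(html)
    return [n for n in parser.names if CSRF_NAME.search(n)]


def zap_registration_urls(session_names, csrf_names):
    """API calls that add the names to ZAP's recognised token lists
    (endpoint and parameter names assumed; verify at http://zap/UI)."""
    urls = []
    for n in session_names:
        urls.append(f"{ZAP}/JSON/httpSessions/action/addDefaultSessionToken/?"
                    + urllib.parse.urlencode({"sessionToken": n, "tokenEnabled": "true", "apikey": API_KEY}))
    for n in csrf_names:
        urls.append(f"{ZAP}/JSON/acsrf/action/addOptionToken/?"
                    + urllib.parse.urlencode({"String": n, "apikey": API_KEY}))
    return urls


if __name__ == "__main__":
    sessions = session_cookie_candidates(SAMPLE_HEADERS)
    csrf = csrf_field_candidates(SAMPLE_BODY)
    print("session cookies:", sessions, "anti-CSRF fields:", csrf)
    for url in zap_registration_urls(sessions, csrf):
        print(url)
```

Feed it the headers and body of the response ZAP shows for the real login request; anything it reports that is missing from ZAP's two option lists is a token ZAP will not track, which means the spider and active scanner would either lose the session or get every CSRF-protected request rejected.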
